California just raised the baseline for security in the Internet of Things… to a degree. Governor Jerry Brown has signed very similar Assembly and Senate bills that require hardware makers to include “reasonable” security measures for connected devices. All gadgets will require at least some kind of protection against unauthorized data access. If they connect to the internet, they’ll require either a preset password “unique to each device manufactured” or else the ability to generate a new authentication method (such as a custom password) on initial setup. You shouldn’t see hackers compromise legions of security cameras or routers simply because they’re using the same default password.
The two laws take effect on January 1st, 2020, so there’s time for tech firms to build the features into their products.
Some industry groups are anxious about the laws. The California Manufacturers and Technology Association (which includes companies like AT&T, Intel and Honeywell) told Government Technology in a statement that the state was “imposing undefined rules” and had allegedly created a “loophole” that let imported devices avoid the rules. The Entertainment Software Association, meanwhile, claimed that existing laws already covered reasonable privacy protection.
However, that’s not how the politicians see it. Senator Hannah-Beth Jackson, who introduced one of the bills, noted that foreign companies will still have to meet the standards regardless of where they make their devices. This is also about leaving companies to use “best judgment” for security on their own devices, she said.
You probably won’t see devices with airtight security as a result of this. There are no mandates for encryption, for example. However, that’s not really the goal here. This is more about preventing rookie mistakes, such as connected toys that transmit data with few if any safeguards. Cyberattackers may still get through — they’ll just have fewer obvious targets.